RE: break in?
Date: 11/15/05

  • Next message: Logan Greenlee: "RE: RE: break in? - terminal services on alternate port"
    To: "'Paul Greene'" <>, <>
    Date: Mon, 14 Nov 2005 22:53:57 -0500

    Check out RootKitRevealer from SysInternals

    It is freeware and interesting software. Will help you check out if you have any rootkits installed on the box.

    Also make sure to look at successful logon events, failure will happen often when you leave your box opened to the net...

    -----Original Message-----
    From: Paul Greene []
    Sent: November 12, 2005 12:19 AM
    Subject: break in?


    I have a Win2K domain controller running on my home network that had Terminal Services enabled through my firewall so that I could
    access the box from my office at work. I had configured the firewall to only all TS access from the IP block of the company where I
    work. (the firewall is an openbsd box that also acts as the gateway to my ISP)

    Well, I went out on a road trip and allowed TS access from "any" so that I could access the DC from my hotel room, and then forgot
    to restrict access again when finished. Ooops!! Big mistake.

    I was looking through Event viewer troubleshooting another issue a few days ago, then noticed a whole bunch of failed administrator
    logins in the security logs. Oh, crap what happened now. I ran Symantec AV, Spybot search and destroy, and Adware and none of them
    found anything. I ran MS Update service and realized I was out of date on several patches (going back about 2 months worth of

    Another ominous sign was that the DC had two printers configured that I use at the office, but I have never configured a printer for
    this DC. I deleted the printers, and they came right back.

    I wanted to see what was going on with the DC, so rather than wipe it clean and re-install, I locked the firewall down real tight
    and started logging everything to see if the DC was going to try to "phone home"
    somewhere. I'm only allowing outgoing http access to the MS Update site, and outgoing DNS queries (UDP port 53) because this is also
    the dns server for the network.

    More ominous signs. The server was trying a few times a day to make connection attempts to some outbound websites and ftp sites.
    Some of the IP addresses were located in Rumania and Poland. All connection attempts were getting blocked and logged.

    Based on these symptoms, can anyone tell me what happened? In particular, for educations sake, can anyone tell what the specific
    exploit that was used in this case, and possibly a reference where I can go analyze further what happened?

    I don't have anything especially valuable on this server, so I won't lose much by wiping it and starting over again. I think I've
    also locked it down enough now with firewall ACL's that some turkey isn't going to be stealing my bandwidth for some nefarious
    purpose either.

    Thanks in advance,

    Paul Greene



  • Next message: Logan Greenlee: "RE: RE: break in? - terminal services on alternate port"

    Relevant Pages

    • Re: CEICW fails at firewall config
      ... Do you or do you not have ISA 2000 or ISA 2004 installed on the SBS server? ... Do you have 2 NICs in the SBS? ... CEICW fails on firewall configuration every time. ... >>> Call to Creating the protected networks access rule returned ok. ...
    • Re: Recycler security issues on IIS server
      ... > latest upates to the server. ... > like to see the server put behind our firewall, ... other software, install all patches, IISlockdown, URLscan, use the correct ... the procedures you follow may vary depending on your security needs. ...
      ... I delete the nat/basic firewall and stop and started the RRAS an tried to ... There were no critical events in the DNS Server Log in the last 24 hours. ... An error occurred during logon ... Caller User Name: - ...
    • Re: For Microsoft Partners and Customers Who Cant Download or Access
      ... to reconfigure the firewall, but to use a static IP on your client ... and to make sure that the DNS server entries on the client are ... Microsoft for ... use a static IP and set the DNS server addresses to the DNS ...
    • Re: login attempts
      ... > Every day i have on my win2000 iternet server a lots of wrong login ... Windows by default allows ... You also need a firewall. ... the internet, except for those ports you know you're using. ...